On Mon, 2 Mar 2020 at 17:58, Richard Henderson <richard.hender...@linaro.org> wrote: > > We fail to validate the upper bits of a virtual address on a > translation disabled regime, as per AArch64.TranslateAddressS1Off. > > Signed-off-by: Richard Henderson <richard.hender...@linaro.org> > --- > target/arm/helper.c | 33 ++++++++++++++++++++++++++++++++- > 1 file changed, 32 insertions(+), 1 deletion(-) > > diff --git a/target/arm/helper.c b/target/arm/helper.c > index addbec91d8..0ef32d3c24 100644 > --- a/target/arm/helper.c > +++ b/target/arm/helper.c > @@ -11634,7 +11634,38 @@ bool get_phys_addr(CPUARMState *env, target_ulong > address, > /* Definitely a real MMU, not an MPU */ > > if (regime_translation_disabled(env, mmu_idx)) { > - /* MMU disabled. */ > + /* > + * MMU disabled. S1 addresses are still checked for bounds. > + * C.f. AArch64.TranslateAddressS1Off. > + */ > + if (is_a64(env) && mmu_idx != ARMMMUIdx_Stage2) {
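Review bot: the new guard `if (is_a64(env) && mmu_idx != ARMMMUIdx_Stage2)` keys the bounds check on the CPU's current execution state rather than on the translation regime identified by `mmu_idx`; the comment cites AArch64.TranslateAddressS1Off, which is a property of the regime's controlling EL, so the check should be derived from `mmu_idx` (via whatever helper maps a regime to its EL) so that it also fires when, for example, a lower EL in a different state is the one being walked. The comment should also say why `ARMMMUIdx_Stage2` is excluded, since the quoted lines give no reason. The remainder of the hunk, including the actual upper-bit validation, is cut off in this quote, so that part cannot be reviewed here.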
This looks weird -- why do we care about whether the current EL is aarch64, rather than looking at the controlling EL for the translation regime?

thanks
-- PMM